PS-4 PERSONNEL TERMINATION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki
Control: Upon termination of individual employment:
- a. Disable system access within [ Assignment: organization-defined time period ];
- b. Terminate or revoke any authenticators and credentials associated with the individual;
- c. Conduct exit interviews that include a discussion of [ Assignment: organization-defined information security topics ];
- d. Retrieve all security-related organizational system-related property; and
- e. Retain access to organizational information and systems formerly controlled by terminated individual.
Discussion: System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.
Related Controls: AC-2, IA-4, PE-2, PM-12, PS-6, PS-7.
Control Enhancements:
(1) PERSONNEL TERMINATION / POST-EMPLOYMENT REQUIREMENTS
- (a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
- (b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
Discussion: Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.
Related Controls: None.
(2) PERSONNEL TERMINATION / AUTOMATED ACTIONS
Use [ Assignment: organization-defined automated mechanisms ] to [ Selection (one or more): notify [ Assignment: organization-defined personnel or roles ] of individual termination actions ; disable access to system resources ].
Discussion: In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated.
Related Controls: None.
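The following is an added example, not part of NIST SP 800-53 or this wiki, of what an automated mechanism under PS-4(2) has to do when wired to the base control: disable accounts (PS-4a), revoke every authenticator and live session rather than only the password (PS-4b), transfer ownership of the individual's resources so the organization retains access (PS-4e), verify that no residual access remains, check the result against the organization-defined time period, and notify the organization-defined roles. All systems are simulated in memory; the system names, the one-hour and 24-hour periods, the role names and the account "jdoe" are assumptions chosen for the example. The second run models a system that cannot be reached, the failure mode a real offboarding job must surface rather than swallow.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed organization-defined time periods for PS-4a (not values from NIST).
DEADLINE_FOR_CAUSE = timedelta(hours=1)
DEADLINE_STANDARD = timedelta(hours=24)
# Assumed organization-defined roles to notify under PS-4(2).
NOTIFY_ROLES = ("security-operations", "it-helpdesk", "facilities")


@dataclass
class Account:
    """Simulated account on one system (constructed data, not a real directory)."""
    enabled: bool = True
    # PS-4b: every credential kind. Disabling a password does not invalidate
    # OAuth refresh tokens, API keys, client certificates or open sessions.
    authenticators: set[str] = field(default_factory=set)
    live_sessions: int = 0
    owned_resources: set[str] = field(default_factory=set)


class SimulatedSystem:
    """Stand-in for a connector to a directory, SaaS tenant, VPN and so on."""
    def __init__(self, name: str, reachable: bool = True) -> None:
        self.name, self.reachable, self.accounts = name, reachable, {}

    def _acct(self, user: str) -> Account:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        return self.accounts.setdefault(user, Account())

    def disable(self, user: str) -> None:
        a = self._acct(user)
        a.enabled = False
        a.authenticators.clear()   # passwords, tokens, keys, certificates
        a.live_sessions = 0        # force re-authentication, which now fails

    def transfer_ownership(self, user: str, to: str) -> int:
        # PS-4e: the organization keeps the data; the individual loses it.
        src, dst = self._acct(user), self._acct(to)
        moved = len(src.owned_resources)
        dst.owned_resources |= src.owned_resources
        src.owned_resources.clear()
        return moved

    def residual_access(self, user: str) -> bool:
        a = self._acct(user)
        return a.enabled or bool(a.authenticators) or a.live_sessions > 0


@dataclass
class TerminationEvent:
    user: str
    manager: str               # receives retained resources and a notification
    effective: datetime
    for_cause: bool = False


@dataclass
class Report:
    actions: list[str] = field(default_factory=list)
    failures: list[str] = field(default_factory=list)
    notifications: list[tuple[str, str]] = field(default_factory=list)
    deadline_met: bool = False

    @property
    def complete(self) -> bool:
        return not self.failures and self.deadline_met


def offboard(event: TerminationEvent, systems: list[SimulatedSystem],
             now: datetime) -> Report:
    """Run PS-4a/b/e on every system, then the PS-4(2) notifications."""
    r = Report()
    # Access first, notifications last: for-cause terminations may require
    # the accounts to be disabled before anyone, including the individual, is told.
    for s in systems:
        try:
            s.disable(event.user)
            moved = s.transfer_ownership(event.user, event.manager)
            if s.residual_access(event.user):   # verify, never assume
                raise RuntimeError("residual access after disable")
            r.actions.append(f"{s.name}: disabled, credentials revoked, "
                             f"{moved} resource(s) transferred to {event.manager}")
        except Exception as exc:                # keep going; record for follow-up
            r.failures.append(f"{s.name}: {exc}")
    deadline = DEADLINE_FOR_CAUSE if event.for_cause else DEADLINE_STANDARD
    r.deadline_met = now - event.effective <= deadline
    status = "COMPLETE" if not r.failures else f"INCOMPLETE ({len(r.failures)} failure(s))"
    for role in NOTIFY_ROLES:
        r.notifications.append((role, f"termination of {event.user}: {status}"))
    r.notifications.append((event.manager, f"you now own resources formerly held by {event.user}"))
    return r


def demo(unreachable_vpn: bool = False) -> Report:
    """Constructed sample run: three systems, the VPN optionally unreachable."""
    ad = SimulatedSystem("active-directory")
    ad.accounts["jdoe"] = Account(authenticators={"password", "smartcard"}, live_sessions=2)
    saas = SimulatedSystem("saas-tenant")
    saas.accounts["jdoe"] = Account(authenticators={"password", "oauth-refresh-token", "api-key"},
                                    owned_resources={"shared-drive/finance-q3"})
    vpn = SimulatedSystem("vpn", reachable=not unreachable_vpn)
    vpn.accounts["jdoe"] = Account(authenticators={"client-cert"})
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    event = TerminationEvent(user="jdoe", manager="asmith", effective=t0, for_cause=True)
    return offboard(event, [ad, saas, vpn], now=t0 + timedelta(minutes=20))


if __name__ == "__main__":
    for line in demo().actions + demo(unreachable_vpn=True).failures:
        print(line)
```

The notification step is deliberately last and carries the completion status, so the roles named in the control learn not only that a termination happened but whether any system still grants access; a report with failures is the signal that manual follow-up is needed before the organization-defined period expires.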
References: None.